HPE Security – Data Security (https://www.voltage.com): Email Encryption, Enterprise Cloud Data Protection, End-to-End Encryption, Tokenization, Database Encryption, Data Masking, Key Management Solutions. Feed last updated Thu, 20 Jul 2017 23:36:16 +0000.

Protecting High Value Government Data
https://www.voltage.com/government/protecting-high-value-government-data/
Thu, 20 Jul 2017 22:52:08 +0000

The post Protecting High Value Government Data appeared first on HPE Security - Data Security.

Throughout federal, state, and local governments, the digital revolution is driving an exponential growth of high value data. Personally identifiable information (PII) is collected on government employees, taxpayers, students, retirees, military personnel, and anyone doing business with the government.

This data is a valuable resource that has the potential to transform government as we know it. Big data analytics could allow better allocation of resources and more efficiency; transparency initiatives could allow better citizen services and more accountability; and data sharing could enable better coordination between agencies in key fields such as national security, healthcare or education. But this same data is also highly prized by cyber-criminals, malicious insiders and nation-states. The challenge is how to protect the data in such a way that it can still be safely shared and analyzed by data scientists in its protected form.

Government under attack

Federal and state government agencies disclosed a total of 203 data breaches between 2010 and 2016, with 72 breaches in 2016 alone. In the majority of cases, government breaches involved personal information such as names, Social Security numbers, and birthdates. The United States Office of Personnel Management (OPM) alone experienced the theft of PII and security clearance background investigation information for 22.1 million individuals in 2015.

The continued growth in data breaches shows that the most common cybersecurity measures—firewalls, intrusion prevention systems, antivirus software, and other security technology operating at the network and endpoint layers—are increasingly ineffective on their own against advanced cyberattacks, leaving gaps where data is exposed.

The data security challenge

Government entities have some of the same challenges faced by private sector corporations, including:

  • Big data and data sharing: Government agencies are challenged with providing better citizen services and being more transparent, but that requires increased data sharing between agencies and with contractors. It also requires big data analytics and adoption of new technologies to manage the “data lake” such as Hadoop.
  • New technologies and innovations: As the public sector adopts new technologies and innovations, data security becomes more complex. Internet of Things (IoT), mobile and cloud create not only more data for hackers to target, but also increase the surface area for attacks, including more devices, connections, and networks.
  • Legacy systems: A major challenge faced by government agencies is their dependency on legacy applications and platforms with limited native data security options. These sometimes decades-old systems may no longer have vendors that supply patches or otherwise maintain the code, leaving them vulnerable to attackers.
  • Limitations of traditional security: Common cybersecurity measures only protect data indirectly. Firewalls and intrusion prevention systems operate predominantly at the network level, and desktop antivirus software works to stop the spread of malware infections, but none of them protects the data itself.
  • Gaps in data protection: Most data-protection techniques shield only stored data. That helps when equipment is lost or stolen, but it does not protect data in use: data is exposed to attack from the moment it is decrypted and retrieved from an encrypted database until it enters an encrypted link, and again wherever an application processes it in the clear.

Why data needs a new approach to protection 

In an ideal world, sensitive data travels in well-defined paths from data repositories to a well-understood set of applications. In that scenario, data can be protected by armoring the repository, the links, and the applications with point solutions such as database encryption and TLS (formerly SSL) network connections.

In real systems, data travels everywhere. Today’s IT environment is a constantly shifting set of applications running on an evolving set of platforms. The data lifecycle is complex and extends beyond the container and application, into offsite backup services, cloud analytic systems, and outsourced contractors.

Data-centric security – a proven approach

Recent advances in data-centric security techniques protect data no matter where it resides, how it is transported, and even how it is used—without increasing complexity and without requiring massive application changes, or impeding mission performance.

An essential part of a layered-defense security strategy, data-centric security includes encryption, tokenization, data masking, and enterprise key management techniques to help effectively protect data from the moment it is ingested, through analysis, to backend storage.

In the private sector, Format-Preserving Encryption (FPE) has become a widely adopted data-centric approach to reducing the exposure of personal data to cyber thieves and insider threats.

Format preserving encryption (FPE) – Neutralizing data breaches

Format-preserving encryption (FPE) makes it far easier and more cost-effective for organizations to use encryption. It protects sensitive data at rest, in motion and in use while preserving the data’s format. Traditional encryption methods significantly alter the original format of the data: a 16-digit credit card number encrypted with AES in a conventional mode produces binary ciphertext (typically stored as a hexadecimal or Base64 string) that will not fit a numeric 16-digit column. FPE maintains the format of the data being encrypted, so a Social Security number or birth date still looks like a Social Security number or birth date after encryption. That usually means no database schema changes and minimal application changes.

FPE enables government organizations to de-identify sensitive personal data without extensively revamping existing IT infrastructure. With FPE, even if a system holding the data is breached, the data is worthless to attackers as long as the encryption keys, held separately, are not compromised as well.

Because the encrypted values keep their format, and a given value always encrypts to the same ciphertext under the same key and tweak, analysts can still identify patterns, join tables and run exact-match queries on the protected data without decrypting it (range queries and arithmetic on protected values do not work, since the ciphertext is not numerically meaningful). It also allows data to be mobile, so it can be moved between systems and shared in protected form.
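To make the format-preservation and determinism points concrete, here is an added example written for this page; it is not code from HPE and not NIST’s FF1. It is a small alternating Feistel network over strings of digits, the same overall shape as the NIST FFX modes, but with HMAC-SHA256 standing in for FF1’s AES-based round function so that it runs on the Python standard library alone. It is an illustration, not for production use. The key, the tweak labels and the sample Social Security number are constructed values.

```python
import hmac
import hashlib

DIGITS = "0123456789"


def _num(s, alphabet):
    """Interpret a string over `alphabet` as a base-radix integer, most significant symbol first."""
    x = 0
    for ch in s:
        x = x * len(alphabet) + alphabet.index(ch)
    return x


def _str(x, width, alphabet):
    """Inverse of _num: render x as a fixed-width string over `alphabet`."""
    radix = len(alphabet)
    out = []
    for _ in range(width):
        out.append(alphabet[x % radix])
        x //= radix
    return "".join(reversed(out))


def _round(key, tweak, i, half, width, radix):
    """Round function: keyed PRF of (tweak, round number, the other half), reduced to `width`
    symbols. HMAC-SHA256 replaces FF1's AES PRF here (teaching stand-in, NOT FF1). The modular
    reduction of a 256-bit value is biased by at most radix**width / 2**256, negligible here."""
    msg = tweak + b"\x00" + bytes([i]) + b"\x00" + half.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (radix ** width)


def _split(text):
    n = len(text)
    if n < 2:
        raise ValueError("need at least 2 symbols to run a Feistel network")
    return n // 2, n - n // 2


def fpe_encrypt(key, tweak, plaintext, alphabet=DIGITS, rounds=10):
    """Alternating Feistel network: ciphertext has the same length and alphabet as the input."""
    radix = len(alphabet)
    u, v = _split(plaintext)
    a, b = plaintext[:u], plaintext[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v                 # halves alternate in width, as in FF1
        y = _round(key, tweak, i, b, m, radix)
        c = (_num(a, alphabet) + y) % (radix ** m)
        a, b = b, _str(c, m, alphabet)
    return a + b


def fpe_decrypt(key, tweak, ciphertext, alphabet=DIGITS, rounds=10):
    """Runs the rounds in reverse, subtracting instead of adding."""
    radix = len(alphabet)
    u, v = _split(ciphertext)
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        y = _round(key, tweak, i, a, m, radix)
        c = (_num(b, alphabet) - y) % (radix ** m)
        a, b = _str(c, m, alphabet), a
    return a + b


def protect(key, tweak, value, alphabet=DIGITS):
    """Encrypt only the symbols in `alphabet`; separators such as dashes stay where they are."""
    core = "".join(ch for ch in value if ch in alphabet)
    enc = iter(fpe_encrypt(key, tweak, core, alphabet))
    return "".join(next(enc) if ch in alphabet else ch for ch in value)


def unprotect(key, tweak, value, alphabet=DIGITS):
    core = "".join(ch for ch in value if ch in alphabet)
    dec = iter(fpe_decrypt(key, tweak, core, alphabet))
    return "".join(next(dec) if ch in alphabet else ch for ch in value)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key, not a real key").digest()
    ssn = "123-45-6789"                       # constructed sample, not a real SSN
    token = protect(key, b"column:ssn", ssn)  # tweak binds the token to its context
    print(ssn, "->", token, "->", unprotect(key, b"column:ssn", token))
```

The tweak is the part practitioners most often forget: it binds the ciphertext to a context (a column name, a record type), so the same SSN protected for two different tables yields two different tokens. Because encryption is deterministic for a fixed key and tweak, equal inputs produce equal outputs; that is what allows joins and counts on protected data, and equally what lets an attacker spot repeated values, so the choice of tweak and the access controls around decryption are the levers for managing that trade-off.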

NIST validation brings FPE to government

In 2016, the National Institute of Standards and Technology (NIST) published SP 800-38G, which specifies the FF1 mode of AES for format-preserving encryption, giving government agencies and contractors an approved, peer-reviewed data-centric encryption method. The NIST standard allows FPE to be used to protect data at rest, in motion and in use while preserving data formats, so agencies can adopt a technology already widely used in the private sector.

Format-Preserving Encryption, when properly implemented, protects all kinds of high value data, from personally identifiable information (PII) and protected health information (PHI) to classified data types. It also allows safe data sharing between agencies or with contractors, and deep big data analytics on Hadoop and in the cloud. The technology lets security be layered into decades-old legacy systems and applications, and helps address specific privacy requirements in legislation.

Bottom line: De-identified data should be the natural state of data

Data can be leveraged to usher in an era of better, more efficient government services and programs at all levels. The challenge is how to protect this data when it is used. The solution lies in the fact that the natural state of data in systems should be de-identified data. That would remove all identifiers that could be of value to attackers, while leaving enough data in the clear for analytics and business processes to continue. Only a few select people should have the ability to decrypt the sensitive portions of the data, while a very large number of people should be able to work on projects and leverage the huge treasure trove of available “de-identified” data for the betterment of government.

For more information on how to secure government data, download our new eBook: Protecting High Value Government Data: Data-centric best practices for neutralizing breaches and insider threats while enabling innovation.

Format-Preserving Encryption Summer Reading
https://www.voltage.com/encryption/format-preserving-encryption-summer-reading/
Wed, 19 Jul 2017 21:49:35 +0000

The post Format-Preserving Encryption Summer Reading appeared first on HPE Security - Data Security.

Hello again, format-preserving encryption enthusiasts and data security fans around the globe!

This week an insightful article on the merits of Format-Preserving Encryption (FPE) backed by well-vetted methods appeared in Connect Converge, the magazine for the HPE NonStop community. It makes another good case for adopting proven security without compromising performance.

Read the full article, “Format-Preserving Encryption – And then there was one” by Karen Martin in the Summer issue of Connect Converge.

Let’s recap recent events in the encryption world. The National Institute of Standards and Technology (NIST) originally considered three FPE modes—FF1, FF2, and FF3—as modes of operation of the Advanced Encryption Standard (AES). FF2 did not survive to publication after an attack demonstrated that its security strength is less than 128 bits. Recently, FF3 was broken by researchers Betül Durak (Rutgers University) and Serge Vaudenay (École Polytechnique Fédérale de Lausanne). Note: these attacks do not affect FF1, which NIST continues to endorse.

For further background, see our blog post titled, “Can I Trust My Vendor’s Security Claims? Peer-reviewed vs. self-certification methods.”

Moving the discussion forward, author Karen Martin continues the conversation in her compelling article and states in her argument:

“The three FFX modes were very similar, but not identical. FF1 was designed to handle longer messages and longer tweaks than the other two algorithms and used a 10-round Feistel network; FF2 was designed for shorter messages and tweaks than FF1 and used a 10-round Feistel network; FF3 fixed the length of the tweak at 64-bits and only used an 8-round Feistel network, which made it slightly faster. The differences in the three modes were slight, but crucial. As of today (May 2017), only FF1 is approved by NIST.”

What do you think? When does it make sense to accept more security risk to improve performance? Or can you achieve the best of both worlds without unnecessary compromise? Read the full article and join the discussion. As always, we’re happy to join the debate with you and help answer difficult questions that separate the proven methods from the empty claims. Happy encrypting!

Cryptography for Mere Mortals #16
https://www.voltage.com/crypto/cryptography-mere-mortals-16/
Tue, 11 Jul 2017 22:24:57 +0000

The post Cryptography for Mere Mortals #16 appeared first on HPE Security - Data Security.

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians:

Q: Another crypto headline failure: “AES-256 keys sniffed in seconds using €200 of kit a few inches away“! Now is it time to panic? To quote the original Ghostbusters, is this “…a disaster of biblical proportions… Dogs and cats living together! Mass hysteria!”?

A: No (you knew that was coming). Well, maybe not the “mass hysteria” part.

Besides this article being from The Register—well above the standards of Weekly World News, but hardly a serious technical publication—there’s no real news here. Yes, using relatively low-tech hardware, the researchers were able to recover the encryption key being used by a specific system, an exact copy of which they had profiled in advance, under laboratory conditions. To its credit, the article does note this in the final paragraph—a bit late to calm folks down, of course.

This is like saying that all padlocks are useless because someone figured out how to calculate the combination based on the serial number for a specific model from a specific manufacturer: it overstates the scope of the problem. (Actually, this theoretical padlock issue would be far worse, since it would not require laboratory conditions.)

Indeed, this basic approach is well known. It belongs to the family of electromagnetic and power side-channel attacks, a relative of Van Eck phreaking, which was first demonstrated over 30 years ago. Switching a bit in a circuit consumes a data-dependent amount of power, so careful physical measurements of the system (or of its electromagnetic emanations) correlate with the values being processed, and enough measurements narrow down the key. But it’s not difficult to counter such attacks, with masking, constant-time implementations and shielding, and most HSMs and secure smartcards do so, including our HPE Atalla Hardware Security Module (HSM).

The “new” part of this attack is how cheap it’s gotten: the specialized hardware required used to cost thousands of dollars. That’s mildly interesting, if unsurprising: the processing power and memory of your smartphone surpass the aggregate computing resources on the planet a few decades ago!

Again, this is not a cryptanalytic attack against AES (Advanced Encryption Standard): it is an attack against a specific hardware platform running a specific AES implementation, under very specific conditions. So AES is just as secure as it was a couple of days ago, and we can all go back to playing Angry Birds.
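The point that this is an implementation attack rather than an attack on AES can be shown with a simulation. The following is an added example written for this column; it is not the researchers’ code or anything from the Register article, and it runs on constructed, synthetic traces rather than measurements. It is a textbook correlation power analysis against a leakage model in which each “trace” is the Hamming weight of the first-round AES S-box output plus Gaussian noise. With that data-dependent leakage, 1,000 traces recover the key byte; with a simple masking countermeasure of the kind HSMs implement, the same attack finds nothing. The secret key byte, the noise level and the random seed are arbitrary choices.

```python
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def build_aes_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3 in GF(2^8)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = build_aes_sbox()


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n, noise_sd, rng, masked=False):
    """Constructed leakage model (not measurements): one sample per encryption equal to the
    Hamming weight of the first-round S-box output plus Gaussian noise. With masked=True the
    'implementation' XORs a fresh random mask into the intermediate before it leaks, which is
    what a first-order masking countermeasure does."""
    plaintexts = [rng.randrange(256) for _ in range(n)]
    traces = []
    for pt in plaintexts:
        intermediate = SBOX[pt ^ key_byte]
        if masked:
            intermediate ^= rng.randrange(256)
        traces.append(hamming_weight(intermediate) + rng.gauss(0.0, noise_sd))
    return plaintexts, traces


def pearson(xs, ys):
    """Plain Pearson correlation, so the example needs no numpy."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def recover_key_byte(plaintexts, traces):
    """Correlation power analysis: rank all 256 key-byte hypotheses by the absolute correlation
    between predicted leakage HW(SBOX[pt ^ guess]) and the observed traces."""
    best_guess, best_corr = None, -1.0
    for guess in range(256):
        predicted = [hamming_weight(SBOX[pt ^ guess]) for pt in plaintexts]
        corr = abs(pearson(predicted, traces))
        if corr > best_corr:
            best_guess, best_corr = guess, corr
    return best_guess, best_corr


def demo(seed=2017, key_byte=0x2B, n_traces=1000, noise_sd=2.0):
    """Returns ((guess, corr) for the leaky implementation, (guess, corr) for the masked one)."""
    rng = random.Random(seed)
    pts, traces = simulate_traces(key_byte, n_traces, noise_sd, rng)
    unmasked_result = recover_key_byte(pts, traces)
    pts, traces = simulate_traces(key_byte, n_traces, noise_sd, rng, masked=True)
    masked_result = recover_key_byte(pts, traces)
    return unmasked_result, masked_result


if __name__ == "__main__":
    (g, c), (gm, cm) = demo()
    print("leaky implementation: best guess 0x%02x, |corr| %.2f (true key 0x2b)" % (g, c))
    print("masked implementation: best guess 0x%02x, |corr| %.2f (no usable peak)" % (gm, cm))
```

Two things to take from the run: the attack model is tied to one implementation detail (where the S-box output leaks and how), so a different chip or a masked implementation invalidates it without any change to AES; and the masked run shows why the standard countermeasure works, since randomizing the intermediate each time destroys the first-order correlation the attack relies on.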

New GDPR-Focused Media Hub Launched By IDG/CIO and Hewlett Packard Enterprise
https://www.voltage.com/gdpr/new-gdpr-focused-media-hub-launched-idgcio-hewlett-packard-enterprise/
Tue, 11 Jul 2017 21:59:54 +0000

The post New GDPR-Focused Media Hub Launched By IDG/CIO and Hewlett Packard Enterprise appeared first on HPE Security - Data Security.

Do you have questions regarding the pending enforcement of the European Union’s General Data Protection Regulation (GDPR) and its impact on your business? If so, look no further: GDPR & Beyond launched this week. GDPR & Beyond is a new online media hub developed for information governance and security professionals looking to understand more about GDPR and how it is going to affect a company’s collection, maintenance and protection of its customers’ data.

GDPR’s reach is extensive: it applies not only to EU companies but also to multinational organizations that collect the personal data of individuals in the EU. GDPR’s mandates tighten and deepen governance, data security and data privacy to ensure adequate protection of the fundamental rights and freedoms of those individuals with regard to their personal data.

The website, sponsored by Hewlett Packard Enterprise (HPE), features insightful articles, interviews and videos from an experienced and knowledgeable editorial team at IDG/CIO Magazine, with key inputs for selected content from HPE subject matter experts including David Kemp – specialist business consultant, Tim Grieveson – chief cybersecurity strategist, and Sudeep Venkatesh – global head of pre-sales for HPE Data Security.

Below is a sample of the type of interactive content included on the website:

  • How can I find the information and personal data that will fall under these regulations?
  • How can I cost effectively respond to legal matters requiring information under my management?
  • How can I protect, store and securely back up personal data?
  • What types of data protection technologies can help to secure data without breaking business processes?
  • How can I identify information for disposition in accordance with the “right to be forgotten?”
  • Can I report a breach within the timeline required by the EU data protection regulations?
  • How can I reduce my overall risk profile?

GDPR & Beyond aims to foster discussion and idea exchange around how IT and the lines of business must collaborate to drive GDPR compliance by the May 25, 2018 effective date. The content will include an assortment of educational, thought-leadership and opinion-based articles that discuss how organizations’ compliance efforts enable them to become more efficient in their use of data and better able to mitigate risk.

More content will continue to be posted to the GDPR & Beyond site alongside the articles already published there.

Visit GDPR & Beyond today to learn more about how to prepare for GDPR.

Safeguard PHI and build HIPAA compliance with email encryption
https://www.voltage.com/email/safeguard-phi-build-hipaa-compliance-email-encryption/
Tue, 04 Jul 2017 05:37:40 +0000

The post Safeguard PHI and build HIPAA compliance with email encryption appeared first on HPE Security - Data Security.

How email encryption can help you safeguard healthcare Information and build a HIPAA compliance program.
Healthcare institutions are faced with a daunting problem: safeguarding sensitive healthcare and personal information in internal and external email communications. By default, the content of email is unprotected. As an email message travels from sender to recipient, it passes through servers and across networks that may give attackers opportunities to eavesdrop on, or even to access, the content of the email. This can expose protected health information (PHI), personally identifiable information (PII), intellectual property and other sensitive information in the body of the message and in attached files. And data breaches involving personal health information can result in heavy penalties under the Health Insurance Portability and Accountability Act (HIPAA).


Email could be the most vulnerable IT system in an organization
Until very recently, there was a widespread misperception that email communications were private and secure, but that is definitely not the case. Front-page incidents where the contents of entire email stores—thousands and thousands of messages—were accessed and published, such as the Sony Pictures breach and the incident during the 2016 Presidential campaign have finally brought an end to this misperception. These high-profile breaches have also brought to the forefront an awareness of the staggering costs that can be incurred by the impacted organizations as a result of such email breaches.

Healthcare institutions face so many potential threats against their systems, networks and data that it’s easy to overlook threats against email as well. But the fact is that healthcare records are significant targets for attackers because they typically contain all the information thieves need to perpetrate identity theft, including fraudulently opening lines of credit and filing phony tax refund requests with the Internal Revenue Service. Additionally, thieves can also use the information from medical records to purloin prescription drugs for consumption or resale, or even obtain medical care or surgery under a false name, leaving the real person who owns the account to pay for the fraudulent charges incurred. The Ponemon 2016 Cost of Data Breach report found that the average cost per stolen record in the healthcare industry is approximately $355. Compare that to the estimated $6.00 or less for purchase of stolen credit and debit card information, and it is clear that healthcare information is highly valuable and likely to be targeted by attackers who are motivated by profit. It is also clear that, when multiplied by the tens or hundreds of thousands of records usually involved in a breach, an incident could result in considerable expense to the impacted institution.

On a smaller scale, each of your institution’s emails is individually at risk of unauthorized access. An attacker may want to access the contents of email in order to sell the sensitive information they contain, such as healthcare records; to commit identity theft by misusing personal information; or to gain access to confidential or proprietary information about your institution. The latter could be used in many ways, from planning targeted attacks against the Human Resources department to stealing or even altering research data. These threats can come from both external attackers and insiders, so emails could be at risk even if they never leave your institution’s networks.

Leveraging email encryption to protect your PHI and meet HIPAA compliance
All email encryption technologies are designed to prevent attackers from reading the contents of emails, at a minimum while in transit. The details vary significantly from product to product, but the fundamental principle is the same. The sender, or a server near the sender, uses a cryptographic key to encrypt the content of the email. The encrypted email is then routed to the recipient, or a server near the recipient, which uses the corresponding key (the same secret key in a symmetric scheme, or the recipient’s private key in a public-key scheme) to decrypt the content, enabling the recipient to view the message. Anyone monitoring the networks over which the encrypted email is carried is unable to decrypt it and view the original contents. Note that where encryption happens at a gateway server rather than on the sender’s device, the message is still in the clear between the user and that gateway and in any intermediate mail store, which is why protection all the way from sender to recipient matters.

Email encryption solutions have become widely used for many reasons, including:

  • Preventing costly and damaging data breaches by protecting sensitive data in transit.
  • Enabling institutions to use cloud-based email and collaboration services by providing a way of protecting those emails.
  • Supporting compliance with a variety of security and privacy legislation and regulations, such as HIPAA and HITECH.

Choosing the Best Email Encryption Solution
It’s important to carefully evaluate potential email encryption solutions for your healthcare institution before selecting one. Putting the wrong solution in place can significantly increase your IT staffing costs for both administration and technical support. It can also frustrate and impede your users, who are likely to circumvent a cumbersome or time-consuming solution and, in doing so, actually make a serious security problem even worse.

To assist you in evaluating potential solutions, here are six differentiators you should be sure to consider when conducting your evaluation of potential email encryption products:

  1. Emails should be protected all the way from sender to recipient.
  2. Emails sent from cloud-based services should also be protected.
  3. Email encryption and decryption should be easy for both senders and recipients to use.
  4. Cloud solutions should offer privacy protection without storing either the email messages or the keys.
  5. Key management should be worry-free for on-premises solutions.
  6. The product should cover the most important customer use cases.

HPE SecureMail is an award-winning solution for protecting sensitive data sent via email within your organization and to outside recipients. A large number of healthcare and life-sciences organizations leverage HPE SecureMail in their Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) compliance programs.

Download our new white paper Safeguarding Healthcare Information and Leveraging HPE SecureMail in Your HIPAA Compliance Program if you are interested in learning more about how to choose the best email encryption solution for your use case.

Four pillars of payments security, one solution: Welcome to the age of AKB
https://www.voltage.com/payments/four-pillars-payments-security-one-solution-welcome-age-akb/
Thu, 29 Jun 2017 21:17:22 +0000

The post Four pillars of payments security, one solution: Welcome to the age of AKB appeared first on HPE Security - Data Security.

The retail market relies on payments security, yet encryption hasn’t treated four distinct security fundamentals as a whole—until now.

In this ever-growing, evolving world of payments security, encryption and cryptography play important roles by protecting users from the bad guys. While attacks on poorly designed applications are more common, a more sophisticated attack is designed to exploit the weakest link in the chain or algorithm that protects it. To constantly protect from the threats of data breaches, newer and stronger algorithms are needed that also strengthen the chain as a whole. To that end, security methodology fundamentals rely on four key pillars:

  • Identification (who)
  • Authentication (integrity)
  • Authorization (privilege)
  • Confidentiality (encryption)

Multiple advancements have taken place within each pillar. Yet the methodologies or designs only saw them as unique, separate entities—and continued advancement in each point as standalone. Organizations focused on one without treating the four as part of a complete solution yet in reality, these key pillars are interrelated and should be treated as such.

The non-cash retail payment market relies on security. The algorithm’s journey from the Data Encryption Standard (DES) to Triple DES (TDEA or 3DES) in the early 2000s paralleled the National Institute of Standards and Technology’s approval of and recommendation for organizations to adopt the stronger algorithm. Ever-cheaper computing power, together with the 64-bit block size of 3DES that limits how much data can safely be encrypted under one key, now brings 3DES into question; NIST currently recommends migration to the Advanced Encryption Standard (AES), an even stronger algorithm.

Alongside the encryption algorithms, security was further strengthened by the introduction of the Initialization Vector (IV), which ensures that encrypting the same data twice does not produce the same ciphertext. An IV greatly reduces an attacker’s ability to detect patterns in the ciphertext, although it does not by itself make the ciphertext undecipherable. Thus the race began to solve the current algorithm problem while introducing newer weaknesses and new problems to solve. Yet the race neglected how to address the four key pillars as a whole rather than part by part. Thus the requirement arose for additional digital fencing: logical and physical controls.

The middleman cuts in, but AKB holds the key

As the industry looked to address the four key pillars, man-in-the-middle (MiTM) attacks remained a potential problem in cryptography and encryption. MiTM attacks exploit the weakest point in the chain. Without a strong, verifiable binding between an encryption key and its intended attributes (encryption, decryption, exportability, etc.), an interceptor could alter those attributes and change how the key may be used.

The Payment Card Industry (PCI) Security Standards Council released a bulletin in March 2017 for PCI PIN Security Requirement 18-3. It provides a revised plan to implement managed structures (called key blocks) to address the individuality of the four pillars. This requires organizations to consider the pillars as a whole and not as individual items. The specification for the key block, a key-wrapping format, is published in ANSI X9 TR-31 and is also commonly known as the ANSI Key Block (AKB).

AKB was the first market-specified published key block that resolved this by hard binding the key with the intended attributes along with the integrity to ensure that the cipher text hasn’t been modified.

The AKB brings two important features. The key is protected using the approved key-bundling requirements, and a MAC over the header and the wrapped key detects any modification, thus greatly reducing the scope for MiTM attacks. Additionally, key usage attributes are securely bound to the key itself, which prevents misuse of the key type or its intended use. For example, a key identified as an encryption key can’t be used to decrypt data or for key export.
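What “binding attributes to the key with integrity” looks like in practice, as an added example that is not HPE Atalla code and not a conforming TR-31 implementation: the 16-character header below follows the TR-31 field order (version ID, block length, key usage, algorithm, mode of use, key version, exportability, optional-block count, reserved), but the real specification wraps with AES or TDES and authenticates with CMAC, whereas this sketch uses HMAC-SHA256 from the Python standard library for both the keystream and the MAC. The key-block protection key (KBPK) and the wrapped key are constructed values. It demonstrates the MiTM scenario above: rewriting the usage field invalidates the MAC, and a key wrapped as “encrypt only” is refused for decryption.

```python
import hmac
import hashlib
import struct

HEADER_LEN = 16   # TR-31-style ASCII header
MAC_LEN = 16      # truncated HMAC-SHA256 tag in bytes, rendered as 32 hex characters

# Mode-of-use letters follow TR-31 convention: E = encrypt only, D = decrypt only,
# B = both, N = no special restriction. Maps a requested operation to the modes permitting it.
_MODE_ALLOWS = {"E": {"E", "B", "N"}, "D": {"D", "B", "N"}}


def _derive(kbpk, purpose):
    """Derive separate encryption and MAC keys from the key-block protection key (KBPK)."""
    return hmac.new(kbpk, purpose, hashlib.sha256).digest()


def _keystream(enc_key, header, length):
    """Counter-mode keystream from HMAC (stand-in for AES); the header is mixed in so that the
    key data is cryptographically tied to its attributes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, header + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(kbpk, key, usage, mode, exportability):
    """Produce header || hex(ciphertext) || hex(mac). Usage is a two-character code such as
    'P0' (PIN encryption) or 'D0' (data encryption); mode and exportability are one character."""
    if len(usage) != 2 or len(mode) != 1 or len(exportability) != 1:
        raise ValueError("bad attribute lengths")
    plain = struct.pack(">H", len(key) * 8) + key            # key length in bits, then key bytes
    total = HEADER_LEN + 2 * len(plain) + 2 * MAC_LEN
    # version 'D', 4-digit block length, usage, algorithm 'A' (AES), mode, key version '00',
    # exportability, '00' optional blocks, '00' reserved
    header = f"D{total:04d}{usage}A{mode}00{exportability}0000".encode("ascii")
    ct = _xor(plain, _keystream(_derive(kbpk, b"ENC"), header, len(plain)))
    tag = hmac.new(_derive(kbpk, b"MAC"), header + ct, hashlib.sha256).digest()[:MAC_LEN]
    return header + ct.hex().encode("ascii") + tag.hex().encode("ascii")


def parse_header(block):
    h = block[:HEADER_LEN].decode("ascii")
    return {"version": h[0], "length": int(h[1:5]), "usage": h[5:7], "algorithm": h[7],
            "mode": h[8], "key_version": h[9:11], "exportability": h[11],
            "optional_blocks": int(h[12:14])}


def unwrap_key(kbpk, block, required_usage, operation):
    """Verify the MAC over header + ciphertext BEFORE trusting any attribute, then enforce the
    attributes for the requested operation ('E' or 'D'). Returns (key, header fields)."""
    hdr = parse_header(block)
    if hdr["length"] != len(block):
        raise ValueError("length field does not match block")
    header = block[:HEADER_LEN]
    ct = bytes.fromhex(block[HEADER_LEN:-2 * MAC_LEN].decode("ascii"))
    tag = bytes.fromhex(block[-2 * MAC_LEN:].decode("ascii"))
    expected = hmac.new(_derive(kbpk, b"MAC"), header + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: header or key data modified, or wrong KBPK")
    if hdr["usage"] != required_usage:
        raise PermissionError("usage-denied")
    if hdr["mode"] not in _MODE_ALLOWS[operation]:
        raise PermissionError("mode-denied")
    plain = _xor(ct, _keystream(_derive(kbpk, b"ENC"), header, len(ct)))
    bits = struct.unpack(">H", plain[:2])[0]
    return plain[2:2 + bits // 8], hdr


def check_block(kbpk, block, required_usage, operation):
    """Status-code wrapper: 'ok', 'integrity-failed', 'usage-denied' or 'mode-denied'."""
    try:
        unwrap_key(kbpk, block, required_usage, operation)
        return "ok"
    except ValueError:
        return "integrity-failed"
    except PermissionError as err:
        return str(err)


def tamper_usage(block, new_usage):
    """What an interceptor might attempt: rewrite the usage field (header chars 5-6) in flight."""
    return block[:5] + new_usage.encode("ascii") + block[7:]


if __name__ == "__main__":
    kbpk = b"constructed-kbpk-for-demo-only!!"        # 32-byte constructed value
    pin_key = bytes(range(16))                       # constructed 128-bit key
    blk = wrap_key(kbpk, pin_key, "P0", "E", "N")
    print(blk.decode("ascii"))
    print("legitimate use:", check_block(kbpk, blk, "P0", "E"))
    print("decrypt with encrypt-only key:", check_block(kbpk, blk, "P0", "D"))
    print("MiTM relabels P0 as D0:", check_block(kbpk, tamper_usage(blk, "D0"), "D0", "E"))
```

The ordering inside `unwrap_key` is the part that matters for an HSM: the MAC is verified before the usage and mode fields are read, so the device never makes an authorization decision on attributes an attacker could have rewritten. That is the “hard binding” the post describes, and it is the reason a key block protects all four pillars at once rather than the confidentiality of the key alone.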

With payments disruption and an emerging landscape questioning the status quo—along with increasing non-bank competition such as the Internet of Things, mobile wallets, gift cards and fleet cards brought by commercialization—a greater need exists to ensure the payment market is well protected, while fostering growth and innovation. AKB’s adoption by the regulatory bodies such as PCI will unite the four key pillars into a cogent whole.
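As an added illustration (not code from the original article, and not the ANSI X9 TR-31 format itself), the following Python sketch shows the two properties the article attributes to key blocks: the usage attributes travel in a header that is cryptographically bound to the wrapped key, and an integrity tag causes any modified block to be rejected. It uses HMAC-SHA256 from the standard library as a stand-in for the AES-based wrapping and CMAC that TR-31 specifies; the protection key, the one-byte attribute codes and the key material are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample key-block protection key (KBPK). In a real deployment it
# is generated and held inside the HSM and never leaves it.
KBPK = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Hypothetical one-byte attribute codes for this sketch (not TR-31 codes).
USAGE_ENCRYPT_ONLY = b"E"
USAGE_DECRYPT_ONLY = b"D"
USAGE_BOTH = b"B"
EXPORTABLE = b"Y"
NON_EXPORTABLE = b"N"

HEADER_LEN = 7   # magic(3) + usage(1) + exportability(1) + key length(2)
TAG_LEN = 32     # HMAC-SHA256 output


def _subkey(kbpk: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey (wrapping vs. MAC) from the protection key."""
    return hmac.new(kbpk, b"kb-derive:" + label, hashlib.sha256).digest()


def _keystream_xor(data: bytes, wrap_key: bytes, header: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream that is keyed on the header.

    Stand-in for AES key wrapping. Feeding the header into the keystream means a
    header edit also garbles the recovered key, independently of the MAC check.
    """
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(wrap_key, header + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_key(kbpk: bytes, key_material: bytes, usage: bytes, exportability: bytes) -> bytes:
    """Build key block = header || wrapped key || integrity tag over both parts."""
    header = b"KB1" + usage + exportability + len(key_material).to_bytes(2, "big")
    wrapped = _keystream_xor(key_material, _subkey(kbpk, b"wrap"), header)
    tag = hmac.new(_subkey(kbpk, b"mac"), header + wrapped, hashlib.sha256).digest()
    return header + wrapped + tag


def unwrap_key(kbpk: bytes, block: bytes):
    """Verify the tag first, then recover the key material and its bound attributes."""
    header, wrapped, tag = block[:HEADER_LEN], block[HEADER_LEN:-TAG_LEN], block[-TAG_LEN:]
    expected = hmac.new(_subkey(kbpk, b"mac"), header + wrapped, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("key block rejected: integrity check failed")
    key_material = _keystream_xor(wrapped, _subkey(kbpk, b"wrap"), header)
    return key_material, header[3:4], header[4:5]


def is_valid_block(kbpk: bytes, block: bytes) -> bool:
    """True if the block passes the integrity check, False otherwise."""
    try:
        unwrap_key(kbpk, block)
        return True
    except ValueError:
        return False


def permits(usage: bytes, operation: str) -> bool:
    """Policy check the consuming device applies to the bound usage attribute."""
    allowed = {
        USAGE_ENCRYPT_ONLY: {"encrypt"},
        USAGE_DECRYPT_ONLY: {"decrypt"},
        USAGE_BOTH: {"encrypt", "decrypt"},
    }
    return operation in allowed.get(usage, set())


def retag_usage(block: bytes, new_usage: bytes) -> bytes:
    """Simulate a block whose usage byte was altered in transit (for the check below)."""
    return block[:3] + new_usage + block[4:]


if __name__ == "__main__":
    sample_key = bytes(range(16))  # constructed 128-bit key material
    block = wrap_key(KBPK, sample_key, USAGE_ENCRYPT_ONLY, NON_EXPORTABLE)
    key, usage, export = unwrap_key(KBPK, block)
    print("round trip ok:", key == sample_key, usage, export)
    print("decrypt permitted with encrypt-only key:", permits(usage, "decrypt"))
    print("altered block accepted:", is_valid_block(KBPK, retag_usage(block, USAGE_BOTH)))
```

The order of operations in `unwrap_key` is the point of the design: the receiver checks the tag over header and wrapped key together before it trusts either, so an attribute change cannot be accepted without the protection key, and the policy check in `permits` is applied to the attribute that was actually authenticated.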

 

Priyank Kumar is the product manager for the HPE Atalla HSM. This article originally appeared in the BAI Banking Strategies Executive Report.

The post Four pillars of payments security, one solution: Welcome to the age of AKB appeared first on HPE Security - Data Security.

Cryptography for Mere Mortals #15 https://www.voltage.com/crypto/cryptography-mere-mortals-15/ https://www.voltage.com/crypto/cryptography-mere-mortals-15/#respond Tue, 20 Jun 2017 23:24:59 +0000 https://www.voltage.com/?p=17067 An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians. Phil Smith III, Senior Architect & Product Manager, Mainframe & Enterprise Distinguished Technologist and Dave Mulligan, Chief Services Strategist, HPE Security – Data Security Q: I heard that National Institute […]

The post Cryptography for Mere Mortals #15 appeared first on HPE Security - Data Security.

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

Phil Smith III, Senior Architect & Product Manager, Mainframe & Enterprise Distinguished Technologist and Dave Mulligan, Chief Services Strategist, HPE Security – Data Security

Q: I heard that National Institute of Standards and Technology (NIST) just repudiated the format-preserving encryption (FPE) standard—should we be concerned about that?

A: Maybe. Let’s talk some more about standards. In installment 14, we talked about why standards are important.

Since that post, NIST released Special Publication 800-38G, “Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption”. This included two new modes of AES, FF1 and FF3; FF1 is the Format-Preserving Encryption included in HPE SecureData, proven through almost a decade of real-world use. (For those who are wondering: FF2 was another approach, which was discarded partway through the standards process due to weaknesses found by the standards body’s analysis.)

Great! A new standard, with two choices that achieve similar results! Vendors leapt on the FPE bandwagon and started implementing these new modes in their products. Many of them chose to implement the FF3 mode, and have products available now.

Now comes the bad news: as discussed in April, a problem was found with FF3 that makes it vulnerable to attack. O noes! Standards fail! Maybe standards aren’t so wonderful after all?!

Not so fast. Yes, FF3 has a weakness, and yes, vendors and customers who chose that route have a problem. But it falls in the category of “an honest mistake”, and is one that can be rectified without embarrassment or arguing. Contrast that with having chosen an encryption algorithm not blessed by any standards body: if a weakness is discovered, there’s no good excuse for having chosen it. Worse, without a neutral third party saying “Hey, there’s a problem”, a sleazy vendor could just say “We don’t think this matters, move along, nothing to see here.”

Besides, this weakness was discovered because it was a standard: the cryptographic community tends to focus its analysis efforts on standard-based algorithms. There is a positive feedback loop here: the focus is on standards-blessed algorithms, which encourages customers to use those, which encourages more analysis… The alternative is security by obscurity: a non-standard, untested algorithm might be secure, but nobody knows. Which is hardly a solid basis for a security posture.

Bottom line is, the exception does not invalidate the value of standards, and enterprises examining their choices for data protection would be foolish to select approaches that are not at least on a standards track.

HPE SecureData, of course, has offered FF1 for almost a decade, on a variety of platforms, and is not subject to the weakness that FF3 suffers from. We take a conservative approach in designing our solutions, and FF1 includes extra internal “rounds” (iterations) that increase its security, helping to guard against new attacks such as the one that makes FF3 vulnerable. This is just one reason enterprises that have done the analysis consistently choose HPE SecureData to protect their information.

Meanwhile, companies using an FF3-based approach must act, as discussed in the April post here. If data protected using FF3 is breached, the data will of course still be less vulnerable than if it were not protected at all, but the organization will not be able to claim exemption from data breach disclosure rules. This means they must take the same steps as if the data were not protected at all: suffer disclosure, fines, etc. Considering the full costs of this remediation, it is clear that taking security shortcuts carries significant risk; the 2016 Ponemon Cost of Cyber Crime Study reported that the total average cost for a breach is now $7 million!

HPE Security leverages Demo Platform to help educate prospects https://www.voltage.com/hpe-securedata/hpe-security-leverages-demo-platform-help-educate-prospects/ https://www.voltage.com/hpe-securedata/hpe-security-leverages-demo-platform-help-educate-prospects/#respond Thu, 15 Jun 2017 20:41:31 +0000 https://www.voltage.com/?p=17060 How do you quickly get your solution benefits in front of key prospects?  Well, HPE Security – Data Security is leveraging the Consensus Interactive Video demo platform both internally and with our HPE Partners to send customized video demo emails.  Consensus has just hit ONE MILLION VIEWS this month! Our robust data encryption solutions offer […]

The post HPE Security leverages Demo Platform to help educate prospects appeared first on HPE Security - Data Security.

How do you quickly get your solution benefits in front of key prospects?  Well, HPE Security – Data Security is leveraging the Consensus Interactive Video demo platform both internally and with our HPE Partners to send customized video demo emails.  Consensus has just hit ONE MILLION VIEWS this month!

Our robust data encryption solutions offer many benefits to our customers, and it is hard to sum them all up in just a few bullet points. That’s what makes it so great to partner with Consensus for these educational videos. Not only can we quickly and succinctly feature our benefits, customers can tailor these videos to view only the features that are important to them with the interactive platform. An added benefit of using the Consensus platform is that a viewer can easily pass along these videos to a colleague inside their organization who also might benefit from learning more about our solutions.

The Consensus platform doesn’t aim to replace in-person interactions between salespeople and prospects, but rather, enhance them.

After an HPE or HPE Partner prospect watches one of our video demos, the salesperson gets immediate back-end analytics to see how that prospect interacted with the demo, or whether they shared it with anyone else in their organization, which helps build a prospect database. Consensus has a patented personalization engine that engages people quickly and enables our HPE Partners to deliver the video demos with their personalized Partner logos and branding. Our HPE Distributors can see which of their individual Resellers are leveraging the technology to drive campaigns and lead generation in a parent/child relationship, and can track ROI. Equipping our Partners with these educational interactive video demos to help grow new opportunities and fill their pipeline is critical. An educated customer base helps our Partners to upsell or cross-sell our data protection solutions more quickly and easily.

Recent research done by CEB has shown that by the time a salesperson gets engaged with an opportunity, 57% of the buyer’s journey is complete. Prospects do a lot of “self-research” prior to engaging with a company’s salesperson. This is one of the reasons the demos are so effective.

At HPE Security – Data Security, we’ve created interactive video demos for our HPE Enterprise Secure Key Manager (ESKM) and HPE SecureMail encryption solutions. Prospects are able to choose their own viewing journey by determining which modules in the video are important to them. Based on their choices, a longer or shorter video plays, tailoring the experience to their particular needs.

But don’t take my word for it. The Consensus player also allows us to load and send our HPE SecureData “customer testimonial” videos in the same manner, with a single play button delivered directly via email. Our prospects can hear about our data protection and encryption products from our satisfied customers in the financial and payments space, supply chain and healthcare platforms, travel, movie studios and more.

HPE Security – Data Security and our Partners who are leveraging the technology are operating more efficiently because prospects come to the sales conversation already educated and ready to talk specifics, their specifics. This efficiency shortens sales cycles and increases close rates.  We’ve also translated our videos to Spanish, Portuguese, French, German and Italian to help drive worldwide adoption.

To view our HPE Data Security Solution Interactive Video Demos visit these links below:

  • HPE ESKM – ESKM is an OASIS KMIP compliant secure appliance that generates, protects, serves, and audits the use of encryption keys throughout their entire life cycle.
  • HPE SecureMail – Winner of the Cybersecurity Excellence Award for email security, HPE SecureMail offers end-to-end email protection that is easy to use.
  • HPE SecureData – The best data protection is powerful encryption and tokenization technologies that render the data useless and neutralize the impact of data theft. See how HPE SecureData protects credit card data, personally identifiable information, and regulated healthcare information.
  • Office 365 – HPE SecureMail adds end-to-end protection to your Office 365 deployment, enhancing the security, privacy, and usability.
  • HPE SecureMail Cloud – HPE SecureMail Cloud provides end-to-end protection for emails, files and documents in a lightweight software-as-a-service (SaaS) package.

To hear more about HPE and HPE Partners’ usage of these videos, listen to my interview:

And check out the above Consensus videos on data security and encryption yourself, and create your own personal demo experience!

Can I Trust My Vendor’s Security Claims? Peer-reviewed vs. self-certification methods https://www.voltage.com/encryption/can-trust-vendors-security-claims-peer-reviewed-vs-self-certification-methods/ https://www.voltage.com/encryption/can-trust-vendors-security-claims-peer-reviewed-vs-self-certification-methods/#respond Thu, 08 Jun 2017 22:15:39 +0000 https://www.voltage.com/?p=17044 Format-preserving encryption (FPE) is in the news recently, as two researchers demonstrated a cryptanalytic attack on one method that NIST had endorsed—FF3. NIST now expects to revise their endorsement of FF3 (Special Publication 800-38G) after details of the attack are published to either change the FF3 specification or withdraw approval. It’s important to be aware, […]

The post Can I Trust My Vendor’s Security Claims? Peer-reviewed vs. self-certification methods appeared first on HPE Security - Data Security.

Format-preserving encryption (FPE) is in the news recently, as two researchers demonstrated a cryptanalytic attack on one method that NIST had endorsed—FF3. NIST now expects to revise their endorsement of FF3 (Special Publication 800-38G) after details of the attack are published, to either change the FF3 specification or withdraw approval. It’s important to be aware that this news is independent of NIST’s continued endorsement of FF1 format-preserving encryption (FPE).

However, this very review process—of a publication leading to expert analysis and subsequent revision for any newly discovered weakness—is precisely how we obtain trustable security systems. Without it, we must simply rely on obfuscation and on the word of sales reps, neither of which is reliable for meeting the security requirements of today’s increasingly high-risk, technically sophisticated world.

Nonetheless, since the FF3 attack was revealed a little over a month ago, fear, uncertainty, and doubt have started to emerge. Some of this is natural, as enterprises review options and understand impact. However, opportunistic vendors might be attempting to redirect the conversation to often-confusing alternatives to FPE. Perhaps worse, some may be denigrating the process of public review.

Proven in use by the largest organizations, FPE is an industry-defining breakthrough invention by HPE that has been securing the world’s most critical data, from financial information and health care data to sensitive identity records, and more. While HPE’s FIPS-validated FF1 implementation of FPE is not affected by the attack on FF3, it’s worth understanding a bit of the confusion about the NIST process impact.

For reference on HPE’s FPE position, refer to our last blog topic, where we review HPE’s FIPS-validated format-preserving encryption: “At HPE, Strong AES FF1 Crypto and NIST Standards Matter”.

So what is the current status and what’s new since the attack was announced?

  • HPE customers using HPE SecureData based on FF1 encryption methods are not affected—it is still business as usual for the industry’s first FIPS-validated solution available for FPE that uses the robust FF1 method based on security proofs
  • No new compromises in the cryptanalytic attack status since April 12 for FF3, and
  • NIST has not yet determined next steps for FF3

With the above in mind, it’s worth looking at the reality of the current situation:

The NIST gold standard for security assurance helps determine vendor-independent trust
NIST standards and recommended best practices remain the benchmark of credible security assurance, both in federal markets as well as commercial. Notably, HPE continues to offer the only FIPS-validated FPE solution on the market with HPE SecureData with Hyper FPE based on FF1.

With heavy scrutiny and open challenges that are out in the public domain, security experts realize it’s more credible to be held subject to public peer review, which helps remove the mystery of security compliance, than to simply take vendors’ assurances at face value. Trust should be earned, and NIST remains the benchmark with public transparency in mind. Security vendors must welcome the critical public scrutiny of due process.

Alternatives to FPE may not be a relevant substitute
Traditional tokenization methods or AES encryption, for example, may not offer the data masking flexibility, application usability with underpinned security, and similar qualities that make FPE best suited to data security applications where protection of data in use is critical. And this assumes those alternative technologies are fully qualified as a starting point. Even so, relying on less flexible encryption approaches may not fit the needs of today’s modern application requirements, such as Big Data or IoT, where massive scale and usable data analytics are business concerns for which FPE can offer a perfect solution fit.

So with vendor credibility in mind, what should I consider to help ensure a trusted approach to FPE?
It’s important to understand how solutions are vetted to meet your needs vs. ambiguous claims that emerge:

Published methodology: Look for vendors willing to publish their methods for peer review and meet publicly-accepted standards. Peer review analysis helps ferret out methods and secrets, remove obfuscation, and avoid hiding behind claims, in hopes of achieving acceptable security methods.

Reliance on questionable expertise: Be leery if methods haven’t been analyzed by multiple, independent, expert third parties to help ensure credibility. Similarly, avoid methods that only examine security in terms of “brute force” risk. This is analogous to claiming, “the door can’t be broken,” when the lock itself is completely flawed. Whereas, NIST and similar industry standards bodies open up review to a wider audience who understand the credibility that these standards bodies have at stake.

The bottom line to remember is this—the cryptanalytic attack on FF3 and the resulting review are precisely the kind of wide-scale and diverse scrutiny that ensures validation meets stringent security assurance criteria. Through process and procedure, potential technology adopters have an independent and trusted reference that supports maintaining a high bar for trustworthiness.

With HPE’s FF1 method, security was not compromised at the expense of performance shortcuts, as the design was prioritized to be secure against the variety of attacks, such as what compromised FF3. Nonetheless, public scrutiny is welcome, as it’s better to recognize exploits before they happen in the wild by more sinister actors.

While HPE customers using SecureData FPE solutions based on FF1 are not directly affected by the FF3 news, it’s easy to get caught up in the confusion of competing arguments and start to have doubts. We’re happy to continue the conversation by contacting us for more information to help guide you toward smarter, well-vetted, technology choices.

For more information, contact HPE Security – Data Security or your local HPE representative.

Retrofitting data protection into existing applications https://www.voltage.com/hpe-securedata/retrofitting-data-protection-existing-applications/ https://www.voltage.com/hpe-securedata/retrofitting-data-protection-existing-applications/#respond Thu, 01 Jun 2017 20:15:53 +0000 https://www.voltage.com/?p=16977 A transparent data protection solution is often the only way to retrofit data protection into existing applications. Data is protected on ingress/egress to the application without requiring any application changes. As such, it is also the easiest data protection solution to implement and deploy. The implementation consists of 3 major steps: Designing the appropriate data […]

The post Retrofitting data protection into existing applications appeared first on HPE Security - Data Security.

A transparent data protection solution is often the only way to retrofit data protection into existing applications. Data is protected on ingress/egress to the application without requiring any application changes. As such, it is also the easiest data protection solution to implement and deploy. The implementation consists of 3 major steps:

  • Designing the appropriate data protection model
  • Defining the level of access that each application will have to different types of data
  • Configuring the transparent data protection solution.

On the HPE Nonstop server, transparent data protection is commonly implemented through I/O intercept libraries. Multiple data protection solutions are available. In this article we look more closely into the HPE SecureData Transparent Data Protection solution and how it enables and facilitates enterprise wide data protection.

Data-centric Security

Data-centric Security refers to a type of data security where all sensitive data is protected all of the time except when used by authorized applications that have the necessary access rights to see only the plain data they are explicitly authorized to see. This level of data protection can only be achieved if data is protected at the field level (not volume or other macro level) from the moment of first time entry/creation and throughout the data lifetime.

Data-centric Security is necessary for achieving data protection in any information system that consists of multiple processing entities collaborating while using parts or elements of the data. This is illustrated in Figure 1.

Any insular data protection systems will expose vulnerabilities as they introduce points at which the data is not protected. Data may be revealed before being channel protected (for instance, with SSL encryption) or at the other end of the connection, before it is encrypted for the next hop. Data-centric security protects the sensitive data throughout the enterprise, regardless of the underlying transport or storage mechanism.

Enterprise Data Protection Challenges

Enterprise-wide data protection invariably relies on data-centric security. Within a large enterprise the number of platforms, systems, and applications needing access to enterprise data is frequently very large. This creates two unique challenges:

  1. The availability of the data protection solution on ALL the enterprise platforms. This includes: HPE NonStop, z/OS, HP-UX, Solaris, AIX, various versions of Windows, Linux, various web platforms, embedded and mobile platforms, etc. A large variety of applications on those platforms have to obey the same data-access and data protection policies.
  2. Any data protection solution requires high-availability and high-performance access to its protection artifacts, be they encryption keys, a tokenization database or a tokenization table. Typically, encryption keys are stored in key vaults, which must be synchronized and replicated for high-availability access. This significantly complicates the data protection solution, because every key must be physically stored in every key vault in use. This may amount to millions of keys being replicated across vaults, which creates challenges such as:
    • distributed state synchronization
    • resource availability
    • high availability
    • security
    • and performance

HPE SecureData Transparent Data Protection meets these challenges with the following technologies:

  1. Stateless key management, which allows the elimination of key vaults.
  2. Standards-based format-preserving encryption.
  3. Standards-based stateless tokenization.
  4. Enterprise-wide protection format enforcement.
  5. State-of-the-art HPE NonStop transparent data protection using I/O Intercept.

The remainder of this article provides an overview of these technologies in the context of the overall solution.

Stateless Key Management

HPE Stateless Key Management uses canonical user identities together with per-crypto-district base derivation keys to remove the need to store keys in key vaults; instead, keys are derived on demand, just in time for use by the protect/reveal operations of authorized entities.

Management consoles of key servers allow creation of crypto districts which include creation of base keys for different crypto algorithms supported such as AES, FFX, TDES, IBE BB, IBE BF, etc.1 These base keys are created on an HSM utilized by the key server. The base key can only be used in an HSM associated with the key server. Once the key server receives a request to derive a key for an identity by a client, it authenticates the client and then requests the HSM to derive the client key.

The only key related state in the HPE Stateless Key Management system are the sets of base keys for the configured crypto districts. This state is manually replicated in minutes at the time key servers are first configured which allows the simple high availability key management architecture.

HPE Stateless Key Management eliminates the issues associated with stateful key management using key vaults, such as distributed state synchronization, key replication resource usage, and the performance and security issues caused by the need to synchronize key stores across key vaults.
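As an added example that is not HPE’s own code or derivation scheme, the following Python sketch shows the pattern this section describes in generic form: a per-crypto-district base key (in practice resident in the HSM) and a canonical identity fully determine the client key, so the key is never stored and two independently configured key servers agree on it without exchanging state. HKDF-SHA256 (RFC 5869) is used here as the derivation function; the district name, the identity canonicalization, the key-period tag and the key-number input are constructed assumptions, and the authorization table stands in for the client authentication the text mentions. The key-period tag also shows how key rollover can be expressed as a derivation input rather than as a change to stored state.

```python
import hmac
import hashlib

# Constructed sample base key for one crypto district. In the real architecture
# the base keys are generated and held inside the HSM attached to each key server.
DISTRICT_BASE_KEYS = {
    "payments": bytes.fromhex(
        "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
    ),
}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def canonical_identity(identity: str, key_period: str, key_number: int) -> str:
    """Constructed canonical form: normalised identity, rollover period, key number.

    Every component that changes the derived key is explicit in this string, so
    two key servers agree on the key without sharing anything but the base key.
    """
    return f"{identity.strip().lower()}|{key_period}|{key_number}"


def derive_client_key(base_key: bytes, district: str, identity: str,
                      key_period: str, key_number: int = 1, length: int = 32) -> bytes:
    """Derive the client's key from the district base key and canonical identity."""
    prk = hkdf_extract(("district:" + district).encode(), base_key)
    info = ("client-key:" + canonical_identity(identity, key_period, key_number)).encode()
    return hkdf_expand(prk, info, length)


class StatelessKeyServer:
    """Toy key server: authorizes the caller, then derives. No client key is stored."""

    def __init__(self, base_keys: dict, authorizations: dict):
        self._base_keys = base_keys            # stands in for the HSM-held base keys
        self._authorizations = authorizations  # identity -> set of districts it may use

    def can_serve(self, identity: str, district: str) -> bool:
        return district in self._authorizations.get(identity.strip().lower(), set())

    def request_key(self, identity: str, district: str, key_period: str,
                    key_number: int = 1) -> bytes:
        if not self.can_serve(identity, district):
            raise PermissionError(f"{identity!r} is not authorised for district {district!r}")
        return derive_client_key(self._base_keys[district], district, identity,
                                 key_period, key_number)


if __name__ == "__main__":
    policy = {"pos-terminal-01@example.com": {"payments"}}  # constructed authorization table
    # Two key servers configured with the same base keys: no vault replication needed.
    primary = StatelessKeyServer(DISTRICT_BASE_KEYS, policy)
    standby = StatelessKeyServer(DISTRICT_BASE_KEYS, policy)
    k1 = primary.request_key("POS-Terminal-01@example.com", "payments", "2017-06")
    k2 = standby.request_key("pos-terminal-01@example.com", "payments", "2017-06")
    print("servers agree:", k1 == k2)
    rolled = primary.request_key("pos-terminal-01@example.com", "payments", "2017-07")
    print("rollover yields a new key:", rolled != k1)
```

Note what the design does and does not remove: the only secret state is the base key per district, so adding a key server means installing the base keys once rather than replicating millions of derived keys, but the authorization table (which identity may use which district) is still policy that every server must enforce consistently.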

Standards Based HPE Format-Preserving Encryption and Tokenization

HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization enable in-place substitution of plaintext with ciphertext using standard crypto algorithms such as AES.

The use of standards based cryptography is essential. Open standards are vendor agnostic and remove risks. Non-standard and unpublished crypto has security and liability implications, e.g. organizations cannot claim safe harbor exceptions in the case of a breach.

HPE Format-Preserving Encryption is standardized as a mode of AES in NIST SP800-38G. HPE Security – Data Security contributed the framework to all modes of Format-preserving Feistel-based Encryption (FFX) – X indicates that the framework can be instantiated in different ways.

HPE’s Secure Stateless Tokenization (SST) falls under the ANSI X9.119 part 2 standard, which is still in draft status.

Enterprise-wide Policy Based Security

The HPE SecureData Enterprise Policy management system enables fine-grained data protection and controlled data access across the enterprise. It also enables uniform security policies and key-management policies to be applied across the enterprise, such as:

  • key rollover
  • key revocation
  • adaptability to connectivity issues

Distributed entities in a heterogeneous environment use policy information to protect/reveal a data item without having to synchronize with each other.

All HPE SecureData clients pull the clientPolicy.xml policy information from the HPE SecureData Policy Server which is hosted on the same systems as the key server.

The clientPolicy.xml needs to be loaded by any native client before any protection/reveal operations can be performed. The policy defines:

  • crypto parameters, policy, and key hard/soft refresh settings which enable a highly-available solution configured to sustain maximum equipment replacement timeframes,
  • default values for parameters such as the default identity time stamp and default crypto districts
  • key number tables and protection format definitions

HPE NonStop Transparent Data Protection Using I/O Intercepts

HPE SecureData Transparent Data Protection for HPE NonStop is based on XYPRO’s XYGATE Data Protection (XDP) product.

XDP was designed and engineered to integrate with HPE SecureData Enterprise on HPE NonStop. XDP integrates seamlessly with HPE SecureData and allows for simple, comprehensive data protection with minimal impact on your applications and databases.

Within HPE SecureData Transparent Data Protection, the XDP intercept seamlessly provides both HPE SecureData Payments and HPE SecureData Enterprise functionality. This deep integration includes configurability of various fine-tuning mechanisms, such as:

  • Persistent and non-persistent caching which enables various HPE Nonstop standalone modes in case of failures, at cold-start, or for performance reasons;
  • Entropy-source selection for use in SSL and otherwise;
  • Use of payments and enterprise formats;
  • Field-level authorization group mapping to different HPE SecureData crypto districts with distinct authentication/authorization rules;
  • Field-level protection mapping to protection servers.

The intercept itself supports various modes of the Enscribe native hierarchical database as well as SQL databases, with sensitivity to the peculiarities of in-place substitution of the various record field values.

Summary

Transparent data protection closes the data protection gap in cases where API-level protection is not an option. It also provides the fastest and easiest data protection integration for many use cases. HPE SecureData Transparent Data Protection is unique in its ability to provide a surprisingly simple, complete data-centric solution for any size system or enterprise.

 

Authors:

Dr. Branislav Meandzija is a Technology Leader at HPE Security – Data Security. Branislav joined HP/HPE in 2015 as part of the Voltage Security Inc. acquisition. At Voltage since 2008, he was the engineering manager responsible for all of SecureData from 2008 through 2011, and for Core Crypto, SecureData Payments and all SecureData NonStop platform engineering efforts from 2011 to 2015. Since 2015, Branislav has spearheaded the technology side of different Data Security projects, including the HPE SecureData Transparent Data Protection effort on NonStop.

Andrew Price is VP of Technology at XYPRO. He joined XYPRO in 2011, and has over 25 years’ experience in the mission-critical IT industry. Prior to joining XYPRO, Andrew was with ACI Worldwide for over 11 years, where he held roles in Product Management, Development and Architecture. At XYPRO, Andrew has engineering and product management responsibility for the XYGATE suite of products, ensuring that they continue to meet XYGATE users’ stringent requirements for security and compliance on the HP NonStop. He can be reached at andrew.price@xypro.com

 

1 AES stands for Advanced Encryption Standard; FFX stands for Format-preserving, Feistel-based Modes of AES; both AES and FFX are NIST standards. TDES stands for Triple Data Encryption Standard and is an ANSI standard. IBE stands for Identity Based Encryption; both IBE BB and IBE BF are ISO standards.

Join HPE Security at the Gartner Security & Risk Management Summit https://www.voltage.com/security/join-hpe-security-gartner-security-risk-management-summit/ https://www.voltage.com/security/join-hpe-security-gartner-security-risk-management-summit/#respond Thu, 25 May 2017 20:16:50 +0000 https://www.voltage.com/?p=16966 June is right around the corner, which means it is time for the Gartner Security & Risk Management Summit in National Harbor, MD.  This annual gathering of security and risk management leaders helps organizations prepare for and head off increasingly dangerous cyber threats. The Summit takes place from June 12-15 and this year’s theme is: […]

The post Join HPE Security at the Gartner Security & Risk Management Summit appeared first on HPE Security - Data Security.

June is right around the corner, which means it is time for the Gartner Security & Risk Management Summit in National Harbor, MD.  This annual gathering of security and risk management leaders helps organizations prepare for and head off increasingly dangerous cyber threats. The Summit takes place from June 12-15 and this year’s theme is: Manage Risk. Build Trust. Embrace Change.

Who typically attends? Gartner reports that over 3,000 attendees such as CIOs, CISOs, security analysts and architects, and other related security professionals descend on DC for this annual event. The agenda addresses the latest threats, flexible new security architectures, data privacy, governance strategies and the role of the chief information security officer (CISO).

HPE Security at Gartner

HPE Security feels this show is so important to help educate security professionals that we are a premier sponsor, with a theme of “Fearlessly Innovate.” We are in a period of disruptive change, where success is achieved by innovating faster than the competition. Innovating means adopting technologies that increase productivity, lower costs and extend businesses into new markets. In this environment, organizations that rapidly design, deploy and adapt IT based on the needs of customers, partners and employees cannot be slowed down by security. However, not considering risk in an increasingly connected world jeopardizes innovation.

We feel that security must accelerate, not impede, innovation. We help you build security directly into your data and your apps. We provide the visibility, analytics and automation to rapidly detect, respond to, and remediate threats at scale.

There are many ways to interact with HPE Security and educate yourself in protecting your users, apps and data.

  • Stop by our booth
  • Set up 1:1 meetings with our Security Experts
  • Attend our Solution Provider Session
  • Visit our Learning Labs

Visit our Booth

Visit us at Booth #103 to see live demonstrations of our industry leading Data Security, ArcSight and Fortify product offerings. At the booth, you can set up your 1:1 meeting with our security experts.

Solution provider session:

Join the SIEM Revolution: Q&A Exploring Today’s Intelligent Security Operations
Today’s security operations face new disruptors: the sheer scale and variety of data sources, persistent and adaptive threats, and a shortage of cybersecurity experts. Meeting them requires a revolutionary transformation of SecOps. Join us for a provocative Q&A session with experts managing security operations for some of the world’s largest government and commercial organizations. Hear first-hand stories about how these pros are addressing the toughest security challenges and providing new levels of defense for their businesses.
Date: Monday, June 12
Time: 3:15pm – 4:00pm
Session ID: SPS14

Learning Labs:

New this year at the Gartner Security & Risk Management Summit are learning labs. HPE Security will host several learning labs to educate attendees on various topics including protecting against cyber threats, securing DevOps and data-centric protection for your most valuable data. See the detailed descriptions below and plan to attend the ones that are most relevant.

Data-Centric Protection for Your Most Valuable Data
Are you leaving your most important asset, your data, unattended? Discover how to neutralize breaches, comply with legislation and protect your most valuable data. Data-centric security protects sensitive data at rest, in motion and in use while powering omni-commerce, cloud and Big Data. Join us to learn why AES FF1 is a strong, vetted, resilient, NIST- and FIPS-validated mode of encryption that enables you to protect your most valuable data.

The new rules of engagement to protect against cyber threats
While organizations agree that protecting against cyber threats is a top priority, it is becoming increasingly difficult to pinpoint what EXACTLY needs to be done to achieve that. In this session, we will look at the three underlying disruptors that are responsible for today’s cyber attacks and then dive deep into the strategies that intelligent SOCs are adopting to fight against them.

Advances in application security: harness the power of machine learning
As the software environment becomes more complicated, can your app sec program actually become simpler? See how machine learning can streamline your app sec process by highlighting the vulnerabilities that are most critical to your unique enterprise, allowing you to focus on the issues that pose the most risk to you.

Practical advice for securing DevOps: how to code securely without slowing down developers
As enterprises move towards DevOps, deployment cycles get squeezed. How do you balance speed with security? The two do not have to be mutually exclusive. In this session, we will share best practices from customers of the market-leading HPE Security Fortify. See how the best app sec programs deliver more secure code, faster.

2017 Hot Topics at Gartner

Gartner also has many sessions filled with content for security professionals. Some of the hot topics this year include privacy and data security, enabling safer cloud computing, risks and opportunities of the Internet of Things, data security and risk governance, and mobile security for digital business. HPE Security can help you navigate and leverage these topics to make you and your business successful.

Haven’t registered yet? Our customers and prospects can register here with promo code SECSP60 for a discounted full conference pass, courtesy of HPE Security! Looking forward to seeing you at the show.

The post Join HPE Security at the Gartner Security & Risk Management Summit appeared first on HPE Security - Data Security.

Data Masking Addresses the Changing Threat and Compliance Landscape (https://www.voltage.com/fpe/data-masking-addresses-changing-threat-compliance-landscape/), Thu, 18 May 2017 18:25:55 +0000

HPE Security – Data Security is pleased to be recognized in Gartner’s Market Guide for Data Masking, published 6 February 2017, analysts Marc-Antoine Meunier and Ayal Tirosh. As a leading visionary in the prior Magic Quadrant for Data Masking Technology, Worldwide (published December 2015), underpinned by our 10-year leadership in Format-Preserving Encryption technology that is now a recognised NIST standard, we welcome the new guidance from Gartner analysts Meunier and Tirosh.

The Market Guide defines Data Masking as a technology aimed at preventing the abuse of sensitive data by giving users fictitious yet realistic data in place of real, sensitive data while maintaining their ability to carry out business processes. The Data Masking market has been growing steadily for years, and Meunier expects it to grow even more in 2017 and, in our opinion, beyond.

The market guidance is timely – new privacy regulations such as the General Data Protection Regulation (GDPR) put additional compliance cost pressure on enterprises around the world. The massive growth in data consumption that is powering the next generation of businesses has to be balanced against the risk of sophisticated attacks on sensitive personal data. The recommendation is to look beyond traditional static masking to approaches such as those available in HPE SecureData, enabling organizations to build a hybrid data de-identification, pseudonymization, and production protection strategy. This strategy can span traditional databases, cloud, big data ecosystems, data warehouses and mission-critical platforms through powerful, dynamic Format-Preserving Encryption that reduces risk, increases data utility, and simplifies compliance.

This important Market Guide comes on the heels of another Gartner publication, How Data Masking Is Evolving to Protect Data From Insiders and Outsiders, published: 28 November 2016, Analyst: Marc-Antoine Meunier. That report has specific recommendations for security and risk management leaders concerned with application and data security. The report advised that organizations should “consider using format-preserving encryption and tokenization. Together, they cover a broader spectrum of use cases and software life cycle phases.”

Format-preserving Encryption:

Format-preserving encryption (FPE) is an encryption technology that protects sensitive data while preserving the data format. It transforms data formatted as a sequence of symbols in such a way that the encrypted form has the same format and length as the original (e.g., 9 digits for a social security number, 16 digits for a credit card number). Since no changes to the data format are needed, retrofitting legacy applications is simple, as opposed to conventional encryption, which changes the data format and makes integration complex. FPE also preserves contextual value, relationships and meaning, enabling business processes and secure analytics.

Our HPE SecureData encryption product uses HPE FPE and secure stateless tokenization technologies, which can be used to create masked data for developers in test and development, avoiding the need for live data in testing. This powerful platform uses advanced HPE FPE technologies to transform live data into a neutralized yet useful encrypted form that applications can still execute against and that can still be used in analytics, without the unnecessary decryption that leads to exposure and risk.

Security and risk management leaders should use data masking to desensitize or protect sensitive data, the Market Guide advises, and should address the changing threat and compliance landscape. In 2016, data breaches once again demonstrated the growing importance of this technology market.

Key Findings:

The Market Guide for Data Masking lists these findings:

  • The evolution of threat and compliance environments continues to fuel demand for data masking (DM) solutions. This demand is further sustained by data growth within organizations and the expansion of data analytics use to drive the business.
  • Buyers are increasingly concerned with the risk of reidentification of masked data, especially in complex big data environments, and facing regulations such as GDPR, which require an assessment of that risk.
  • Data masking is available in an increasingly broad array of deployment options to address new and evolving data management and application architectures.

Recommendations

These are the recommendations from the Market Guide for security and risk management leaders responsible for data security and compliance:

  • Mitigate data risk and enable your organization’s digital business transformation by adopting data masking and complementary technologies such as format-preserving encryption and tokenization as a key strategy.
  • Achieve an effective and sustainable deidentification of sensitive data by assessing the reidentification risks throughout the life cycle of your data masking implementation, and favor vendors that offer tools and expertise to establish the reidentification risks.
  • Mitigate risk in applications where traditional DDM approaches have struggled by taking advantage of innovative DDM solutions at the data virtualization or alternative application tiers.

Use this link to read the full report: Market Guide for Data Masking.

The post Data Masking Addresses the Changing Threat and Compliance Landscape appeared first on HPE Security - Data Security.

Beyond the Red and Blue Pill – Maintaining Data Usability while Protected (https://www.voltage.com/fpe/beyond-red-blue-pill-maintaining-data-usability-protected/), Thu, 11 May 2017 20:57:21 +0000

Many of us remember, or have at least seen the meme of, the scene from the movie The Matrix where Morpheus offers Neo a choice between a red pill and a blue pill. The decision is to either live in a harsh reality or choose blissful ignorance. Neo takes the red pill, preferring to explore the harsh reality of the Matrix.

Now, if you’re a security administrator working with an application team or line of business owners, you may not realize that you offer your business a similar choice each day:

  • Do you encrypt sensitive data and leave it blissfully unusable, happy to remain at rest within your storage and servers, free from potential abuses? Or,
  • Do you make data available in the clear to applications within the harsh, Matrix-like reality that exists in IT, with the potential for insider misuse and external threats to steal it?

In the Matrix, Agent Smith wants to attack your data, Neo!

Back in IT reality, it’s a tough call when weighing the trade-offs between business continuity and reliable access to data with the need to protect sensitive data. The “red pill” of open data usability must be considered as a risk trade-off with the “blue pill” of constant protection where one need not worry.

But what if I told you there was a Purple Pill compromise for usable data protection and it has a name? It’s format-preserving encryption and offers the best of both worlds—data usability with security.

Let’s stay in Wonderland and go further down the rabbit-hole with format-preserving encryption…

Traditional encryption forces a risk decision to encrypt or to leave data exposed in clear text. This creates gaps in security controls when data moves from at-rest, in-motion, to in-use. Instead, format-preserving encryption (FPE) maintains data in an encrypted state, while also making it useful to applications with limited or discretionary risk exposure. If data needs to be exposed for a particular use, it can be limited to specific elements of the data, such as partial masking of a phone number (think, XXX-XXX-3265). But how does FPE do it?

HPE SecureData’s FPE implementation, as an industry-leading example, is based on standardized AES encryption to protect data reliably while keeping the format of the data unmodified. A social security number still looks like one to a database without requiring schema modifications, a date field still looks like a date to an application, and so on. At the same time, referential integrity is preserved for the data class, so Big Data analytics or database joins can be run on the encrypted data just like normal, without an application choking on the operation.
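To make the mechanism concrete for both this post and the FPE description in the Data Masking post above, here is an added, constructed example of a format-preserving cipher over digit strings; it is not HPE SecureData code and not NIST FF1 or FF3. NIST's FF1 and FF3 are both Feistel constructions of this shape; the example keeps the alternating Feistel structure but uses HMAC-SHA256 from the Python standard library as the round function (an assumption so it runs offline) in place of AES, and the key, tweaks and sample values are constructed.

```python
"""Format-preserving encryption over decimal strings (constructed illustration).

Not HPE SecureData code and not an approved NIST mode. It has the alternating
Feistel shape shared by FF1 and FF3, with HMAC-SHA256 as the round function
(an assumption made so the example runs offline) instead of AES.
"""
import hashlib
import hmac

ROUNDS = 10  # assumption: same round count as FF1, chosen for the illustration


def _round(key: bytes, tweak: bytes, i: int, half: str) -> int:
    """Pseudorandom round value from the key, tweak, round index and the half
    of the state that is NOT being replaced in this round."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([i]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check(digits: str) -> None:
    if not (digits.isdigit() and len(digits) >= 2):
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length.

    Deterministic: the same (key, tweak, plaintext) always yields the same
    ciphertext, which is what keeps referential integrity for joins and
    analytics. The tweak (e.g. a column name) separates otherwise identical
    values held in different fields."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = len(a)  # length of the half replaced in this round (u, v, u, v, ...)
        c = (int(a) + _round(key, tweak, i, b)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the Feistel rounds backwards."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        c = (int(b) - _round(key, tweak, i, a)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def _apply(key: bytes, tweak: bytes, text: str, keep_last: int, fn) -> str:
    """Run fn over the digits of a formatted value (SSN, phone, card number),
    keeping separators in place and optionally leaving the last keep_last
    digits in the clear, e.g. a phone number exposed only as XXX-XXX-3265."""
    digits = "".join(ch for ch in text if ch.isdigit())
    cut = len(digits) - keep_last
    if cut < 2:
        raise ValueError("too few digits left to encrypt")
    new_digits = iter(fn(key, tweak, digits[:cut]) + digits[cut:])
    return "".join(next(new_digits) if ch.isdigit() else ch for ch in text)


def protect(key: bytes, tweak: bytes, text: str, keep_last: int = 0) -> str:
    return _apply(key, tweak, text, keep_last, fpe_encrypt)


def reveal(key: bytes, tweak: bytes, text: str, keep_last: int = 0) -> str:
    return _apply(key, tweak, text, keep_last, fpe_decrypt)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"  # constructed sample key
    ssn = "123-45-6789"  # constructed sample value
    ct = protect(key, b"ssn", ssn)  # still NNN-NN-NNNN, so the schema is unchanged
    print(ssn, "->", ct, "->", reveal(key, b"ssn", ct))
    phone = "555-867-3265"  # constructed sample value
    print(phone, "->", protect(key, b"phone", phone, keep_last=4))
```

A production deployment should rely on a validated implementation of the approved FF1 mode rather than a construction like this one, which only demonstrates why the ciphertext fits the original schema and stays joinable.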

This is a game changer compared to traditional encryption, which lacks this property, and it is a differentiator HPE can offer for today’s high-volume, data-intensive applications that act on protected information, such as Big Data data lake mining and IoT applications, without exposing unnecessary risk.

By addressing both utility and security, FPE doesn’t need to compromise on either aspect. Security is transformed from a business inhibitor to now the opposite—an accelerator of new initiatives while still mitigating risks. Encrypted data that retains its format looks and acts the same to applications, making it possible to avoid revealing it in clear text unless absolutely required for a specific use case.

Unleash the power of your data initiatives without the fear!

What a boring movie it would have been if Neo simply chose to live in harsh reality, but never needed to use his amazing bullet-time martial arts as a defense. He simply got on with his day without worries, while Mr. Smith gave up against a proven competitor. Now, any security administrator can be a hero to their line of business owners!

Consider today how your data can be afforded the same luxury using the data-centric approach of format-preserving encryption. If an authorized application requires data to be revealed, it would be a situational choice if required for that application, rather than a constant risk when data moves from storage, across the network and into various applications. To learn more about format-preserving encryption, products and solutions, swallow the purple pill and visit these links:

The post Beyond the Red and Blue Pill – Maintaining Data Usability while Protected appeared first on HPE Security - Data Security.

GDPR: Where do I start? (https://www.voltage.com/gdpr/gdpr-where-do-i-start/), Thu, 04 May 2017 22:12:32 +0000

As we engage with our customer base, awareness of the General Data Protection Regulation (GDPR) is starting to grow. Most CISOs and CIOs are at least aware of the regulation (and the stiff penalties). They are also becoming aware that GDPR compliance is about a year out, as the date for compliance is May 25, 2018.

Protecting personal data has always been an important issue in the European Union (EU), especially in the last 20 years. However, the new GDPR takes data protection to an entirely new level. In addition to a new set of legal requirements that necessitate both organizational and technological responses, the GDPR is applicable to almost every organization around the world that collects or processes EU Citizens’ personal data. That means that any business that controls and/or processes personal data of EU citizens falls under the GDPR scope, whether or not that business is located in the EU. Even third-party data service providers or cloud service providers that process data for enterprises that control personal data could also be liable for GDPR penalties.

Got it. Now where do I start?

The GDPR is a long read, with 99 articles of fairly dense regulatory text. There are many stakeholders to satisfy, and it can be difficult to map the articles to IT use cases. But most would agree that the #1 challenge is how to get started.

Here’s how we can help. This week, Hewlett Packard Enterprise (HPE) Software announced the availability of a GDPR Starter Kit, which helps organizations take a critical first step in preparing for GDPR. This bundled set of software solutions helps organizations automatically identify, classify, and take action to secure information that falls under this regulation.

There are many reasons getting started may be the greatest challenge for many organizations, for example, “data volumes often number in the billions of objects, timeframes are constrained, and determining what falls within these regulations can be cumbersome and complex,” said Joe Garber, vice president marketing, Information Management & Governance, HPE Software, in the press advisory. “The GDPR Starter Kit provides customers with an easily integrated solution set for assessing data, allowing them to take the first step in addressing data and risk management outlined in the regulation.”

The GDPR Starter Kit follows HPE’s earlier launch of a comprehensive GDPR solution portfolio, and aims to provide organizations with streamlined next steps on their paths to compliance.

GDPR Starter Kit Includes:

The GDPR Starter Kit combines world-class software, including HPE ControlPoint, HPE Structured Data Manager, HPE Content Manager and HPE SecureData in bundled solutions to help customers conduct a Personal Data Assessment and optionally encrypt data that is subject to these regulations. This unique combination of classification, information governance, and data security delivers a number of important benefits:

  • Automate assessment of structured and unstructured data, which alleviates a traditionally manual, error-prone process.
  • Quickly and cost effectively encrypt data to mitigate security breaches.
  • Take a critical step toward lifecycle and retention management to enable compliance with additional GDPR articles and corporate governance requirements.

Consulting firm PwC has just released a new GDPR-themed white paper titled “Technology’s role in data protection – the missing link in GDPR transformation.” This white paper is a great resource that echoes the Starter Kit’s theme of starting your GDPR journey by assessing your data. It provides a framework for practitioners and regulators on evaluating GDPR technology. At its most fundamental level, it describes data management best practice in the context of the GDPR, something we advocate, too.

Learn more:

The post GDPR: Where do I start? appeared first on HPE Security - Data Security.

At HPE, Strong AES FF1 Crypto and NIST Standards Matter (https://www.voltage.com/crypto/hpe-strong-aes-ff1-crypto-nist-standards-matter/), Thu, 27 Apr 2017 22:58:50 +0000

What happened – what is the NIST announcement?

On April 12th, 2017, the National Institute of Standards and Technology (NIST) announced a cryptanalytic attack on the AES FFX Format-preserving Encryption (FPE) mode FF3, and as a result, NIST may revise Special Publication 800-38G, the document that specifies approved AES FFX FPE modes.

The good news is this announcement has no impact on HPE SecureData customers who use AES FFX Format-preserving Encryption mode FF1.

However, this announcement is disappointing news for vendors who have widely adopted and marketed the FF3 encryption mode for their FPE offerings.

This announcement is the result of research completed by Betül Durak (Rutgers University) and Serge Vaudenay (Ecole Polytechnique Fédérale de Lausanne). In January 2017, the researchers gave a presentation at the ESC (Early Symmetric Crypto) 2017 Conference and their research will likely be published in the coming year. While they have identified a potential fix for the FF3 encryption mode, NIST has not yet determined whether it will restore the cryptographic strength of the FF3 encryption mode.

As a result of the identified weaknesses in the FF3 mode, NIST no longer considers FF3 a full-strength FPE mode. NIST expects to revise Special Publication 800-38G after the details of the attack are published and a period of public comment has completed, and states that it will either change the FF3 specification or withdraw the approval of FF3.

What does this mean to your business?

If you are currently using a Format-Preserving Encryption vendor solution with the FF3 encryption mode, the NIST announcement suggests that you may no longer be protected by an acceptable strength solution and may be vulnerable to attacks. NIST states it “has concluded that FF3 is no longer suitable as a general-purpose FPE method”. Moreover, you may risk noncompliance with various data security regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR). Furthermore, data privacy regulations and guidelines that follow or depend on NIST standards may consider similar actions based on the NIST announcement.

If you are on the cusp of an FPE vendor decision, due diligence on vendor claims is critical. With leading organizations demanding data-centric security, vendors have rushed to market with a range of proprietary solutions, or implementations of FF3, which now has an identified weakness. When determining your data protection and privacy strategy, it is critical to choose a standards-based, validated and fully approved solution. Standards matter for reliable security and audit compliance! This announcement is another example of why it is important to complete a peer review for independent validation of security assurance and proven solution strength.

If you are a SecureData customer, you know HPE FPE uses the NIST AES FF1 mode FPE standard. FF1 encryption was developed by world-leading cryptography experts. HPE is a pioneer of Format-preserving Encryption and submitted the core cryptography to NIST for the AES FF1 mode FPE standard. HPE’s AES FF1 is fundamentally different in design and in its ability to resist the classes of attack to which FF3 is now proven vulnerable.

FF1 features an algorithm with strong safety margins to protect against unanticipated analytic attacks and even defend against implementation flaws. This cryptanalytic attack on FF3 is the result of the class of threat that was anticipated by HPE when it designed FF1.

Gold standard: SecureData uses the industry’s first FIPS-validated FPE

This NIST announcement underscores the importance of HPE’s April 13, 2017 News Advisory on FIPS Validation of FPE. NIST awarded FIPS 140-2 validation ONLY to FF1 mode FPE. HPE SecureData has the world’s first FIPS-validated AES-FF1 encryption configuration option to operate in strict FIPS mode.

What can you do to recover if you rely on a vendor that uses FF3 as a solution to protect your data?

Any organization using Format-Preserving Encryption products with the FF3 mode, or non-validated proprietary technology without peer review, should re-evaluate their data protection strategy in light of these risks.

HPE SecureData with Hyper FPE and Hyper SST is used by many industry-leading corporations in the world to protect their most valuable data. This includes six of the top eight U.S. payment processors; nine of the top ten U.S. banks; and major global enterprises across the telecom, energy, finance, transportation, retail, insurance, high tech, public sector, and healthcare industries.

Contact HPE Security – Data Security to learn more about Hyper FPE with HPE SecureData.

The post At HPE, Strong AES FF1 Crypto and NIST Standards Matter appeared first on HPE Security - Data Security.
